Using PowerShell to Continuously Audit Security of Active Directory

Introduction

The phrase I most often hear in the auditing world today is "continuous auditing." The term itself brings something totally different to mind, compared to what it actually means. However, the reality is that continuous auditing is necessary, wanted, and in most cases required. When it comes to Windows networks the concept of continuous auditing is new and not that well understood. Auditors are frustrated and confused as to what they can do to meet their needs and requirements. After months of research, education, and testing I have put together an array of options that auditors can use in order to complete, at least at a minimum, the auditing of Active Directory.

Defining Security Continuous Auditing

I first must define what my interpretation of continuous auditing is. After my initial understanding of continuous auditing, I did some research to find what the industry considers to be continuous auditing. The following are my findings:

The need to ask an administrator for a security setting in real time.

The need to gather information without the administrator's assistance that is, no administrator privileges are required, in real time.

The need to gather continuous reports of specific settings, such as group membership, etc.

There are most likely other definitions that you might come across but these are some of the key instances of when an audit would need to be accomplished outside of the annual or bi-annual audit.

Using PowerShell for Continuous Auditing

PowerShell is a free and powerful tool that was developed by Microsoft for Windows XP and later versions. PowerShell now comes standard in Windows Server 2008 and Windows 7, but it needs to be installed on Windows XP and Server 2003 if you need to run the tool there.

PowerShell does require some local administrative access, as you will see, but does not require ANY domain level administrative access for the gathering of security settings that are included in this document. The biggest issue is setting up PowerShell so it can gather the required information.

Obtaining PowerShell

There are two versions of PowerShell that you can obtain. Each version can run on certain OS platforms. Below is a list of the versions of PowerShell, where to obtain the PowerShell install bits, and which operating systems the version of PowerShell supports.

Setting up PowerShell

Once you get PowerShell installed, you still need to do some additional tasks to be bale to run your cmdlets (Commandlets as they are called). Since PowerShell is designed to be secure by default, you will need to loosen up security in order to run some cmdlets, such as the one listed in this article.

To loosen up security of PowerShell, you will launch PowerShell on your computer as a local administrator. (If you don't have local Administrator privileges on your local computer, you will need to get someone that does have this privilege to perform this task. IT is the ONLY task that needs to be run as a local admin which is listed in this document).

From within the PowerShell window, run:

set-executionpolicy

Then, when prompted as shown in Figure 1, type:

remotesigned

This can also be seen in Figure 1.

Figure 1: Setting PowerShell to run non-signed cmdlets.

Now, you can run the PowerShell cmdlets that are described below without any errors due to security restrictions.

Obtaining the PowerShell Cmdlet for AD

Now, you need to get the PowerShell cmdlet for AD that is explained in this article. At the end of this article I am going to list the contents of the cmdlet, but you can also get it from the original site where I obtained it. The original site is found here.

In order to get the cmdlet configured and saved properly, you need to perform the following steps:

Copy the contents of the online code from the link above or the code below in this article using the standard Windows "highlight text", then select copy.

Insert or paste the text from step 1 into Notepad. (You can't use Word, as this will potentially put extra characters into the code, which will cause the cmdlet to not run.)

Save the notepad file as a .ps1 file (Be sure to not save with the standard .txt extension! This might be tricky if you have never done this. To ensure this is saved correctly, make sure you select "All Files" when saving the file and manually input the .ps1 extension.)

Now you are ready to run some cmdlets!

Running Your New PowerShell Cmdlet

In order to run the cmdlet properly, you should maneuver over to the folder where you saved the .ps1 file. PowerShell accepts standard Command Line syntax, such as:

cd c:\pscmdlets

This will move the PowerShell current position to the pscmdlets folder under the root c:\. Just change the path to where you have placed your .ps1 file.

Now, you must input the correct syntax to make the cmdlet work. The way we are PowerShell you must type .\ before the cmdlet name. To run the cmdlet type:

.\getadinfo.ps1

This should produce the output similar to what you see in the beginning of the code listed below.

Obtaining AD Info

Here are some cmdlet commands you can run to gather some pretty powerful info from AD:

Summary

PowerShell is awesome, powerful, and free. It allows administrators and auditors to gather information about Active Directory with little effort. You can get information about user accounts, group accounts, the domain, etc. PowerShell was designed to update, analyze, and modify Windows computers, so it is ideal for this task. In my next article I will cover how to use third party tools which leverage PowerShell, as well as show you how to put PowerShell cmdlets into scheduled tasks for "true continuous auditing"!

Latest Podcast

Featured Freeware

Recommended

Follow Us

Using PowerShell to Continuously Audit Security of Active Directory

TECHGENIX

TechGenix reaches millions of IT Professionals every month, and has set the standard for providing free technical content through its growing family of websites, empowering them with the answers and tools that are needed to set up, configure, maintain and enhance their networks.